Pre-Installed Malware on Android Devices Expose Flaws in Supply Chain

Pencils come with erasers, books come with pages, and taxes (most of the time) come with returns. People like it when good pairs are bundled together in any deal, and that includes bundles in technology. A lot of devices we enjoy today come with pre-installed software. Most of the time, this pre-packaged software is designed to give users a sample of potential goods for their new device or simply enhance the device’s usefulness. Sometimes, however, things go awry—and malicious programs make their way onto devices before they even reach consumers. This is what’s known as a supply chain attack—and it’s currently playing out on 36 types of Android devices used by a large telecommunications company and a multinational technology company.

To conduct this large-scale attack, cybercriminals somehow managed to install several malware variants on devices somewhere along each device’s supply chain. The malware is varied and includes everything from data siphoning to ransomware.

In fact, according to Ars Technica, some of these devices are infected with malware that sits in the device’s ROM (read-only memory), meaning that users can’t wipe the malware from their devices on their own. Using this “backdoor,” cybercriminals can expand control over a device, install additional malware applications, quietly disable security software and cause general havoc for users.
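To make the ROM point concrete, here is an added example (not from the original article or from Ars Technica): a factory reset erases only the user data partition, so a defender can audit which packages live in the firmware partitions and compare them against a known-good list. The sample listing and the baseline set are constructed placeholders; the input format is that of `adb shell pm list packages -f`.

```python
import re

# Partitions shipped in the factory image. A factory reset wipes /data only,
# so anything installed under these paths survives it.
FIRMWARE_PREFIXES = ("/system/", "/vendor/", "/product/", "/system_ext/", "/oem/")

# One line of `pm list packages -f`: package:<apk path>=<package name>
# The greedy path match splits on the LAST '=', since /data/app paths contain '=='.
LINE_RE = re.compile(r"^package:(?P<path>/.+)=(?P<name>[A-Za-z0-9_.]+)$")

# Constructed sample output (package names are placeholders, not real apps).
SAMPLE_LISTING = """\
package:/system/app/Calculator/Calculator.apk=com.example.calculator
package:/system/priv-app/Updater/Updater.apk=com.example.oem.updater
package:/system/priv-app/SysSvc/SysSvc.apk=com.example.unknown.service
package:/data/app/~~Qx1aB==/com.example.notes-Zk2cD==/base.apk=com.example.notes
"""

# Assumption: a baseline of packages expected in this model's firmware, e.g.
# taken from a known-good device of the same model and build.
BASELINE = {"com.example.calculator", "com.example.oem.updater"}


def parse_listing(text):
    """Return {package_name: apk_path} parsed from the listing text."""
    packages = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            packages[match.group("name")] = match.group("path")
    return packages


def audit(listing, baseline):
    """Return (unexpected firmware packages, user-removable packages)."""
    unexpected, removable = [], []
    for name, path in sorted(parse_listing(listing).items()):
        if path.startswith(FIRMWARE_PREFIXES):
            if name not in baseline:
                unexpected.append((name, path))  # pre-installed, not in baseline
        else:
            removable.append((name, path))  # lives in /data, a reset removes it
    return unexpected, removable


if __name__ == "__main__":
    unexpected, removable = audit(SAMPLE_LISTING, BASELINE)
    for name, path in unexpected:
        print(f"REVIEW  {name}  ({path}) survives factory reset")
    for name, path in removable:
        print(f"user    {name}  ({path})")
```

A package flagged for review is not proof of malware; it marks pre-installed software that the baseline does not account for and that a reset will not remove.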

The troubling takeaway is that consumers shouldn’t assume devices are necessarily “clean” and devoid of malware even if they’ve never been used before. If this attack were repeated on an industry scale, thousands of consumers could potentially be at risk.

So what can you do if you suspect your new (or old) device is infected with malware? Well, here are a few tips:

Always scan your device, even if it’s new. One of the first applications you should load onto a new device is an anti-malware scanner, like McAfee Mobile Security. These scanners often detect and alert users to malicious behavior on their devices. Some can even remove detected malware. In this case, if a malware variant is detected, new users can see if they can return their infected devices in exchange for a clean one.

Avoid discount devices. A lot of devices can be sold at a discount today because they allow third parties to add pre-installed software to enhance a user’s experience. Sometimes, however, events like this happen. To avoid this, consider buying devices straight from the manufacturer (like Apple iPhones or Google Pixel). It’s more expensive, yes, but it lowers the likelihood that a pre-installed feature could really be pre-installed malware.

Use comprehensive security. Finally, this highlights the importance of taking a comprehensive approach to cybersecurity. That means, when you use any electronic device, you should assume it may become compromised in its de facto state and take steps to prevent that. Fortunately, security suites like McAfee LiveSafe™ help users to secure all of their devices—from mobile to desktop and beyond.